pony | f0411a95073a77a791a74fcef268e77305bb95b11684fb59309ed443d0e7dd64

Analysis

max time kernel
147s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 14:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
Size

2.2MB
MD5

678911217d4f9a308058f53e7e0f2236
SHA1

053884188836c57e810e0be9d43be6ef475b12e0
SHA256

f0411a95073a77a791a74fcef268e77305bb95b11684fb59309ed443d0e7dd64
SHA512

7938c6a401e4ac1e154bb3020688d0bf667010cba3d326215a9d5fc269cbc440680bd230311eb1e1368c818d794ba1d5f578b1b5c796851438065d8a12404c52
SSDEEP

24576:0UzNkyrbtjbGixCOPKH2I1iIWILtfOIJ+HKodCHPC0cF3u7P1+eWQ8f/x52vHNZX:0UzeyQMS4DqodCnoe+iitjWwwD

Score

10^/10

pony evasion persistence rat spyware stealer

Malware Config

Extracted

Family

pony

http://don.service-master.eu/gate.php

Attributes

payload_url
http://don.service-master.eu/shit.exe

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\shell = "C:\\Windows\\explorer.exe, c:\\windows\\system\\explorer.exe"	explorer.exe

Modifies visiblity of hidden/system files in Explorer 2 TTPs 1 IoCs

evasion

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = "0"	explorer.exe

Pony,Fareit
Pony is a Remote Access Trojan application that steals information.
rat spyware stealer pony

Modifies Installed Components in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{Y479C6D0-OTRW-U5GH-S1EE-E0AC10B4E666}\StubPath = "C:\\Users\\Admin\\AppData\\Roaming\\mrsys.exe MR"	explorer.exe

Drops startup file 2 IoCs

Processes:

678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe

Executes dropped EXE 64 IoCs

Processes:

explorer.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

pid	process
1780	explorer.exe
1604	explorer.exe
4672	spoolsv.exe
436	spoolsv.exe
1568	spoolsv.exe
732	spoolsv.exe
4316	spoolsv.exe
1616	spoolsv.exe
1212	spoolsv.exe
4996	spoolsv.exe
4576	spoolsv.exe
3552	spoolsv.exe
2888	spoolsv.exe
4208	spoolsv.exe
2268	spoolsv.exe
2024	spoolsv.exe
1396	spoolsv.exe
3992	spoolsv.exe
1524	spoolsv.exe
4348	spoolsv.exe
2272	spoolsv.exe
924	spoolsv.exe
1980	spoolsv.exe
1348	spoolsv.exe
4356	spoolsv.exe
4612	spoolsv.exe
4616	spoolsv.exe
508	spoolsv.exe
3988	spoolsv.exe
5076	spoolsv.exe
1368	spoolsv.exe
1820	spoolsv.exe
4480	spoolsv.exe
4028	spoolsv.exe
4852	spoolsv.exe
4724	spoolsv.exe
4708	spoolsv.exe
5144	spoolsv.exe
5248	spoolsv.exe
5288	explorer.exe
5360	spoolsv.exe
5440	spoolsv.exe
5520	spoolsv.exe
5576	spoolsv.exe
5652	spoolsv.exe
5716	spoolsv.exe
5920	spoolsv.exe
5912	spoolsv.exe
3088	spoolsv.exe
4424	spoolsv.exe
4968	explorer.exe
5372	spoolsv.exe
5320	spoolsv.exe
2836	spoolsv.exe
1336	spoolsv.exe
5728	spoolsv.exe
5908	spoolsv.exe
6040	explorer.exe
6072	spoolsv.exe
212	spoolsv.exe
2264	spoolsv.exe
5308	spoolsv.exe
5128	spoolsv.exe
5536	spoolsv.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

explorer.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Explorer = "c:\\windows\\system\\explorer.exe RO"	explorer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\Svchost = "c:\\windows\\system\\svchost.exe RO"	explorer.exe

Suspicious use of SetThreadContext 62 IoCs

Processes:

678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	pid	process	target process
PID 220 set thread context of 1612	220	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
PID 1780 set thread context of 1604	1780	explorer.exe	explorer.exe
PID 4672 set thread context of 5248	4672	spoolsv.exe	spoolsv.exe
PID 436 set thread context of 5360	436	spoolsv.exe	spoolsv.exe
PID 1568 set thread context of 5440	1568	spoolsv.exe	spoolsv.exe
PID 732 set thread context of 5520	732	spoolsv.exe	spoolsv.exe
PID 4316 set thread context of 5576	4316	spoolsv.exe	spoolsv.exe
PID 1616 set thread context of 5652	1616	spoolsv.exe	spoolsv.exe
PID 1212 set thread context of 5716	1212	spoolsv.exe	spoolsv.exe
PID 4996 set thread context of 5920	4996	spoolsv.exe	spoolsv.exe
PID 4576 set thread context of 3088	4576	spoolsv.exe	spoolsv.exe
PID 3552 set thread context of 4424	3552	spoolsv.exe	spoolsv.exe
PID 2888 set thread context of 5372	2888	spoolsv.exe	spoolsv.exe
PID 4208 set thread context of 5320	4208	spoolsv.exe	spoolsv.exe
PID 2268 set thread context of 2836	2268	spoolsv.exe	spoolsv.exe
PID 2024 set thread context of 1336	2024	spoolsv.exe	spoolsv.exe
PID 1396 set thread context of 5908	1396	spoolsv.exe	spoolsv.exe
PID 3992 set thread context of 6072	3992	spoolsv.exe	spoolsv.exe
PID 1524 set thread context of 212	1524	spoolsv.exe	spoolsv.exe
PID 4348 set thread context of 2264	4348	spoolsv.exe	spoolsv.exe
PID 2272 set thread context of 5308	2272	spoolsv.exe	spoolsv.exe
PID 924 set thread context of 5128	924	spoolsv.exe	spoolsv.exe
PID 1980 set thread context of 3968	1980	spoolsv.exe	spoolsv.exe
PID 1348 set thread context of 5596	1348	spoolsv.exe	spoolsv.exe
PID 4356 set thread context of 5656	4356	spoolsv.exe	spoolsv.exe
PID 4612 set thread context of 5760	4612	spoolsv.exe	spoolsv.exe
PID 4616 set thread context of 5824	4616	spoolsv.exe	spoolsv.exe
PID 508 set thread context of 5880	508	spoolsv.exe	spoolsv.exe
PID 3988 set thread context of 5932	3988	spoolsv.exe	spoolsv.exe
PID 5076 set thread context of 6080	5076	spoolsv.exe	spoolsv.exe
PID 1368 set thread context of 5896	1368	spoolsv.exe	spoolsv.exe
PID 1820 set thread context of 5368	1820	spoolsv.exe	spoolsv.exe
PID 4480 set thread context of 5060	4480	spoolsv.exe	spoolsv.exe
PID 4028 set thread context of 5500	4028	spoolsv.exe	spoolsv.exe
PID 4852 set thread context of 5528	4852	spoolsv.exe	spoolsv.exe
PID 4724 set thread context of 4876	4724	spoolsv.exe	spoolsv.exe
PID 4708 set thread context of 5984	4708	spoolsv.exe	spoolsv.exe
PID 5144 set thread context of 2112	5144	spoolsv.exe	spoolsv.exe
PID 5288 set thread context of 4336	5288	explorer.exe	explorer.exe
PID 5912 set thread context of 1492	5912	spoolsv.exe	spoolsv.exe
PID 4968 set thread context of 2504	4968	explorer.exe	explorer.exe
PID 5728 set thread context of 5640	5728	spoolsv.exe	spoolsv.exe
PID 6040 set thread context of 3260	6040	explorer.exe	explorer.exe
PID 5424 set thread context of 960	5424	explorer.exe	explorer.exe
PID 5536 set thread context of 5148	5536	spoolsv.exe	spoolsv.exe
PID 4548 set thread context of 5240	4548	explorer.exe	explorer.exe
PID 4468 set thread context of 4740	4468	spoolsv.exe	spoolsv.exe
PID 6036 set thread context of 1088	6036	spoolsv.exe	spoolsv.exe
PID 5892 set thread context of 5704	5892	explorer.exe	explorer.exe
PID 5208 set thread context of 5192	5208	spoolsv.exe	spoolsv.exe
PID 5460 set thread context of 5800	5460	spoolsv.exe	spoolsv.exe
PID 432 set thread context of 5180	432	spoolsv.exe	spoolsv.exe
PID 3340 set thread context of 5936	3340	spoolsv.exe	spoolsv.exe
PID 3692 set thread context of 6020	3692	spoolsv.exe	spoolsv.exe
PID 2184 set thread context of 6092	2184	spoolsv.exe	spoolsv.exe
PID 1772 set thread context of 2032	1772	spoolsv.exe	spoolsv.exe
PID 1244 set thread context of 2672	1244	spoolsv.exe	spoolsv.exe
PID 2012 set thread context of 4568	2012	explorer.exe	explorer.exe
PID 5220 set thread context of 4840	5220	spoolsv.exe	spoolsv.exe
PID 5552 set thread context of 2328	5552	spoolsv.exe	spoolsv.exe
PID 2972 set thread context of 1168	2972	spoolsv.exe	spoolsv.exe
PID 4824 set thread context of 5388	4824	spoolsv.exe	spoolsv.exe

Drops file in Windows directory 64 IoCs

Processes:

spoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exe678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exeexplorer.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exespoolsv.exe

description	ioc	process
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	\??\c:\windows\system\explorer.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	\??\c:\windows\system\explorer.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	explorer.exe
File opened for modification	C:\Windows\system\udsys.exe	explorer.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe
File opened for modification	C:\Windows\Parameters.ini	spoolsv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exeexplorer.exe

pid	process
1612	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
1612	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

explorer.exe

pid process

1604 explorer.exe

pid	process
1604	explorer.exe

Suspicious use of SetWindowsHookEx 64 IoCs

Processes:

pid	process
1612	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
1612	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
1604	explorer.exe
5248	spoolsv.exe
5248	spoolsv.exe
5360	spoolsv.exe
5360	spoolsv.exe
5440	spoolsv.exe
5440	spoolsv.exe
5520	spoolsv.exe
5520	spoolsv.exe
5576	spoolsv.exe
5576	spoolsv.exe
5652	spoolsv.exe
5652	spoolsv.exe
5716	spoolsv.exe
5716	spoolsv.exe
5920	spoolsv.exe
5920	spoolsv.exe
3088	spoolsv.exe
3088	spoolsv.exe
4424	spoolsv.exe
4424	spoolsv.exe
5372	spoolsv.exe
5372	spoolsv.exe
5320	spoolsv.exe
5320	spoolsv.exe
2836	spoolsv.exe
2836	spoolsv.exe
1336	spoolsv.exe
1336	spoolsv.exe
5908	spoolsv.exe
5908	spoolsv.exe
6072	spoolsv.exe
6072	spoolsv.exe
212	spoolsv.exe
212	spoolsv.exe
2264	spoolsv.exe
2264	spoolsv.exe
5308	spoolsv.exe
5308	spoolsv.exe
5128	spoolsv.exe
5128	spoolsv.exe
3968	spoolsv.exe
3968	spoolsv.exe
5596	spoolsv.exe
5596	spoolsv.exe
5656	spoolsv.exe
5656	spoolsv.exe
5760	spoolsv.exe
5760	spoolsv.exe
5824	spoolsv.exe
5824	spoolsv.exe
5880	spoolsv.exe
5880	spoolsv.exe
5932	spoolsv.exe
5932	spoolsv.exe
6080	spoolsv.exe
6080	spoolsv.exe
5896	spoolsv.exe
5896	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exeexplorer.exeexplorer.exe

description	pid	process	target process
PID 220 wrote to memory of 3028	220	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	splwow64.exe
PID 220 wrote to memory of 3028	220	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	splwow64.exe
PID 220 wrote to memory of 1612	220	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
PID 220 wrote to memory of 1612	220	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
PID 220 wrote to memory of 1612	220	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
PID 220 wrote to memory of 1612	220	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
PID 220 wrote to memory of 1612	220	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
PID 1612 wrote to memory of 1780	1612	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	explorer.exe
PID 1612 wrote to memory of 1780	1612	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	explorer.exe
PID 1612 wrote to memory of 1780	1612	678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe	explorer.exe
PID 1780 wrote to memory of 1604	1780	explorer.exe	explorer.exe
PID 1780 wrote to memory of 1604	1780	explorer.exe	explorer.exe
PID 1780 wrote to memory of 1604	1780	explorer.exe	explorer.exe
PID 1780 wrote to memory of 1604	1780	explorer.exe	explorer.exe
PID 1780 wrote to memory of 1604	1780	explorer.exe	explorer.exe
PID 1604 wrote to memory of 4672	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4672	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4672	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 436	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 436	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 436	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1568	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1568	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1568	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 732	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 732	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 732	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4316	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4316	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4316	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1616	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1616	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1616	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1212	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1212	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1212	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4996	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4996	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4996	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4576	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4576	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4576	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 3552	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 3552	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 3552	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2888	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2888	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2888	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4208	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4208	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 4208	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2268	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2268	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2268	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2024	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2024	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 2024	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1396	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1396	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1396	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 3992	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 3992	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 3992	1604	explorer.exe	spoolsv.exe
PID 1604 wrote to memory of 1524	1604	explorer.exe	spoolsv.exe

C:\Users\Admin\AppData\Local\Temp\678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe"
1⤵
- Drops startup file
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:220

C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
2⤵
PID:3028

C:\Users\Admin\AppData\Local\Temp\678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\678911217d4f9a308058f53e7e0f2236_JaffaCakes118.exe"
2⤵
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1612

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:1780

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
4⤵
- Modifies WinLogon for persistence
- Modifies visiblity of hidden/system files in Explorer
- Modifies Installed Components in the registry
- Executes dropped EXE
- Adds Run key to start application
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1604

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4672

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5248

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:5288

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:436

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5360

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1568

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:732

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5520

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4316

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5576

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1616

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5652

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1212

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5716

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4996

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5920

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4576

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:3088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3552

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:4424

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4968

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:2504

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2888

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5372

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4208

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5320

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2268

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2836

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2024

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:1336

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1396

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5908

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:6040

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:3260

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3992

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:6072

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1524

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:212

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:4348

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:2264

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2272

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5308

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:924

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Executes dropped EXE
- Suspicious use of SetWindowsHookEx
PID:5128

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1980

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:3968

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:5424

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:960

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1348

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5596

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4356

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5656

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4612

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5760

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4616

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5824

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:508

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5880

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3988

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5932

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5076

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:6080

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:4548

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5240

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1368

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
- Suspicious use of SetWindowsHookEx
PID:5896

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1820

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5368

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4480

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4028

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5500

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4852

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5528

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4724

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4876

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4708

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5984

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
PID:5892

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:5704

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5144

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2112

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2012

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:4568

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5912

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1492

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:1680

\??\c:\windows\system\explorer.exe
"c:\windows\system\explorer.exe"
8⤵
PID:6032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5728

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5640

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:908

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5536

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5148

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:3680

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:4468

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4740

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
- Drops file in Windows directory
PID:5188

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:6036

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1088

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:5208

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:5460

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5800

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:432

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5180

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3340

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5936

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:3692

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6020

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2184

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:6092

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1772

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2032

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:1244

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
PID:5220

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:4840

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:5552

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:2328

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:2972

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1168

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Suspicious use of SetThreadContext
- Drops file in Windows directory
PID:4824

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:5388

\??\c:\windows\system\explorer.exe
c:\windows\system\explorer.exe
7⤵
PID:5564

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2876

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:1440

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5316

\??\c:\windows\system\spoolsv.exe
"c:\windows\system\spoolsv.exe"
6⤵
PID:3428

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:2740

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3084

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4192

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5672

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:5296

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5808

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:6052

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:4104

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:6108

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
- Drops file in Windows directory
PID:5060

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:4856

\??\c:\windows\system\spoolsv.exe
c:\windows\system\spoolsv.exe SE
5⤵
PID:3324

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k PrintWorkflow -s PrintWorkflowUserSvc
1⤵
PID:1968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Parameters.ini
Filesize
74B

MD5
6687785d6a31cdf9a5f80acb3abc459b

SHA1
1ddda26cc18189770eaaa4a9e78cc4abe4fe39c9

SHA256
3b5ebe1c6d4d33c14e5f2ca735fc085759f47895ea90192999a22a035c7edc9b

SHA512
5fe9429d64ee6fe0d3698cabb39757729b48d525500afa5f073d69f14f791c8aa2bc7ce0467d48d66fc58d894983391022c59035fa67703fefd309ec4a5d9962

Download Submit
C:\Windows\System\explorer.exe
Filesize
2.2MB

MD5
dad3d1f2ef93fbac696fab740e44bd96

SHA1
ad6083ad0edfb05b4df7a85076ddaeee1ae23f0e

SHA256
ec519ead19965d88e533b7f86db2e2ff5fcca98c2d555fc440c2f4303324b0df

SHA512
0ba48fd724a38f91432ff934dbf4b7d963681f31d0dbed77ecaabeff3aebba2b837b857dc551487ca4d833b0c944bb04a7b85524b85b0399e50b1649c952c702

Download Submit
C:\Windows\System\spoolsv.exe
Filesize
2.2MB

MD5
05634f3036c119650c51387ac5522cb5

SHA1
cfbe0d3d74281d8e4f899cd3dc2ec0e8e7f6aaf2

SHA256
4e7a2d796959ff63a1ba41dca5431778f99a6e7aef1fd0cc855a22fad9bc3d5a

SHA512
c93a77d81673d26082d3c1bb3160a5ca319638dfeb1d6b9cfc9ad96c18d829f37868f4dacd7d2b1ac18557d6ea9b993a5ee4b0cc5dada0404dd19514ab4ab732

Download Submit
memory/212-2889-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/212-2893-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/220-46-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/220-48-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/220-53-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/220-0-0x00000000007D0000-0x00000000007D1000-memory.dmp

Filesize
4KB

Download
memory/436-2480-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/436-1107-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/508-2489-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/732-1299-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/924-2364-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/960-4993-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1088-5437-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1212-1492-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1348-2468-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1396-1942-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1492-4531-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1492-4442-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1524-2123-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1568-1298-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1568-2493-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1604-1105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-120-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1604-5765-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1612-103-0x0000000000440000-0x0000000000509000-memory.dmp

Filesize
804KB

Download
memory/1612-49-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1612-52-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1612-105-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/1616-1491-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1780-121-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1780-116-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/1980-2365-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2024-1941-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2112-4160-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2264-2902-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2268-1940-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2272-2363-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/2504-4473-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2672-5526-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2888-1721-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3088-2646-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3260-4666-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3428-5766-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3428-5770-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3552-1720-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/3968-3047-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/3992-2122-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4208-1939-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4316-1300-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4336-4097-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4336-4095-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4348-2124-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4356-2469-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4424-2694-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4424-2853-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4568-5537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4576-1714-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4612-2477-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4616-2488-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4672-1106-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4672-2471-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/4740-5349-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4840-5545-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4876-3333-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/4996-1493-0x0000000000400000-0x00000000005D3000-memory.dmp

Filesize
1.8MB

Download
memory/5128-2937-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5148-5006-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5148-5114-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5192-5459-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5248-2676-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5248-2470-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5308-2912-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5320-2717-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5320-2713-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5360-2479-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5360-2482-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5368-3300-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5372-2704-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5388-5725-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5440-2496-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5520-2504-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5576-2514-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5596-3057-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5640-4788-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5640-4656-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5652-2524-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5656-3067-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5704-5452-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5716-2532-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5716-2537-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5760-3076-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5800-5468-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5824-3086-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5880-3095-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5896-3293-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5896-3290-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5908-2862-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5908-2985-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5920-2592-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5932-3104-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5932-3118-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5984-3603-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/5984-3460-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6032-5743-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6072-2882-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6072-2878-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6080-3217-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6080-3382-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/6092-5506-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download